gh-114539: Clarify implicit launching of shells by subprocess by zooba · Pull Request #117996 · python/cpython
This is the same issue as recently disclosed by Rust (CVE-2024-24576), but as it is intentional operating system behaviour, we consider it to not be a Python vulnerability. If an attacker can influence the executable argument and other arguments, no reasonable validation can detect this case (without actually launching the executable and seeing what happens), and the app is exploitable already.
Rust was already detecting whether the executable was a batch file and changing their behaviour, which is why they chose to apply a fix. Python does no such detection, but relies exclusively on the shell argument.
📚 Documentation preview 📚: https://cpython-previews--117996.org.readthedocs.build/
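The PR description says Python does no batch-file detection and leaves the decision to the `shell` argument. An application that wants the detection Rust performs can add it in its own wrapper; the following is an added example, not CPython's code or anything from this PR. It assumes `.bat` and `.cmd` are the extensions that matter and approximates subprocess's executable lookup with `shutil.which`; the `path` keyword of `checked_run` is hypothetical and only scopes that lookup.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import PureWindowsPath

# Extensions CreateProcess hands to cmd.exe (assumption: the two common ones).
BATCH_SUFFIXES = {".bat", ".cmd"}


def is_batch_file(executable):
    """True if the name ends in a batch-file extension, case-insensitively."""
    return PureWindowsPath(executable).suffix.lower() in BATCH_SUFFIXES


def resolve_executable(executable, path=None):
    """Approximate subprocess's search with shutil.which; keep the literal
    name if nothing is found so the suffix check still runs."""
    return shutil.which(executable, path=path) or executable


def checked_run(args, *, path=None, **kwargs):
    """subprocess.run that refuses to launch a batch file unless the caller
    passes shell=True explicitly; `path` (hypothetical) only scopes the lookup."""
    if isinstance(args, str):
        raise TypeError("pass args as a list so the executable can be checked")
    if not kwargs.get("shell") and is_batch_file(resolve_executable(args[0], path)):
        raise ValueError(
            f"{args[0]!r} is a batch file; cmd.exe would parse its arguments. "
            "Pass shell=True to launch it deliberately."
        )
    return subprocess.run(args, **kwargs)


def demo():
    """Constructed scenario: a build.bat on a private PATH is refused,
    while a normal executable runs as usual. Returns (refused, returncode)."""
    with tempfile.TemporaryDirectory() as tmp:
        bat = os.path.join(tmp, "build.bat")
        with open(bat, "w") as f:
            f.write("@echo off\r\n")
        os.chmod(bat, 0o755)  # shutil.which needs the execute bit on POSIX
        try:
            checked_run(["build.bat", "--target=all"], path=tmp)
            refused = False
        except ValueError:
            refused = True
    ok = checked_run([sys.executable, "-c", "pass"], capture_output=True)
    return refused, ok.returncode
```

The wrapper only converts the implicit cmd.exe launch into an explicit, reviewable `shell=True`; as the PR notes, it cannot validate the arguments themselves.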